Get Started with Compliance Fundamentals
From creating a top-notch code of conduct to understanding the role compliance plays in your organization, this is the place to learn the core elements of an effective compliance program.
Each compliance program is unique, with disparate risks and various levels of maturity. Although there are a number of nuances determined by your company’s size, industry and location, there are still basic principles that are best practices across the board. In this section you’ll learn about the key skills every compliance professional should have, as well as the general knowledge base that effective compliance professionals build and draw on throughout their careers.
Just as there are key skills every modern compliance professional should possess, there are fundamental elements every effective compliance program should practice. This section will introduce you to those key components of a robust compliance program and provide the guidance you need to move your career and program to its next level of sophistication.
Organizations that used proactive data monitoring had 54% lower loss and halved the time to detect the fraud. Similarly, management review and whistleblower hotlines also reduced the losses by 50% and decreased the detection time by 50%.
The most common anti-fraud controls implemented by organizations include an external audit of financial statements (81.7%), code of conduct (81.7%) and an internal audit department (73.7%).
In more than 88% of background checks conducted, no prior misconduct or red flags were discovered, since perpetrators are often first-time offenders.
Weak implementation of anti-fraud controls, such as lack of internal controls (29%), overriding of existing internal controls (20%), and lack of management review (19%), often contribute to fraud.
Corruption schemes were often due to a lack of internal controls (29.3%) and overriding of existing internal controls (20.3%).
In a 2013 national survey, 2% of employees witnessed a colleague offering a bribe to a public official.
Almost 20% of employees observe bribery and corruption related misconduct.
Bribery and corruption related misconduct is more likely to be observed at multinational companies (19%) and supplier companies (20%).
In the private sector, 75% of bribery cases involve management.
Corruption cases cost a median loss of $200,000 and occurred 35.4% of the time.
More than 90% of CCOs report their Board or a committee of the Board is adequately informed of compliance risks and mitigation efforts. The group meets annually to review and approve the compliance program.
36% of CCOs do not know, or disagree, that their lines of business management take ownership of the compliance culture and agenda. Only 15% of CCOs strongly agree with this statement, indicating that for many organizations room exists for growth.
31% of CCOs do not know, or do not communicate, conduct and culture lessons across their organizations. Further, 29% of CCOs have not documented, or do not know if they have, formalized compliance roles and responsibilities for their staff—it is foundational for employees to understand the importance of compliance and their role within the compliance structure.
While CCOs report that they address compliance infractions in a timely manner and with appropriate disciplinary actions, almost 4 in 10 CCOs (39%) do not consider (or do not know if their organization considers) employee adherence to compliance policies and procedures as a factor in performance ratings and compensation decisions.
Only 29% of organizations report that they assess compliance proficiencies and skills of their staff on an ongoing basis.
At least 94% of organizations report that compliance requirements are embedded within their policies and procedures and separately also within their code of conduct, which is accessible to all employees.
Only 27% of CCOs strongly agree that the compliance function has a change management process in place to identify and incorporate changes in laws and regulations and to incorporate such changes into their policies and procedures.
While 84% of CCOs report having a compliance risk assessment process that leverages qualitative and quantitative measurements, 32% do not agree or do not know if their business unit, operations, and IT management are involved in assessing compliance risk within their units. In addition, roughly one-third of CCOs do not (or do not know if they) conduct reassessments of their risk profiles upon business changes.
Only 69% of CCOs say their organization leverages technology to support its compliance initiatives, while less than half—just 47%—say they use data analytics and other technology processes to conduct root cause and trending analysis.
33% of CCOs report they do not have, or do not know if their compliance testing program includes transactional, process, and controls testing, and only 27% of CCOs strongly agree that they monitor and track for regulatory changes.
84% of organizations provide reports on the enterprise-wide state of compliance including culture, conduct, governance, and key issues. Yet, only 47% of CCOs say their organization has an enterprise-wide reporting system that is integrated with compliance monitoring and across functions and business units.
Slightly more than half of organizations have a compliance monitoring process to confirm that third-party vendors adhere to compliance due diligence processes, and just 31% manage third-party risk and issue tracking through an enterprise-wide tool capable of monitoring KRIs/KPIs.
In a 2015 survey, 30% of compliance professionals in the United States do not measure the effectiveness of their compliance programs.
Similarly, in a 2016 survey, 44% of organizations do not measure the effectiveness of their policy management program.
Almost two-thirds of organizations (63%) believe that their policy management program helps reduce the legal cost and resolution time of regulatory issues and fines.
Corporate fraud caused losses of $1 million or more in 23% of cases studied.
8.4% of organizations victimized by fraud were fined as a result of the fraud.
The most common form of fraud was asset misappropriation (> 83%), costing a median loss of $125,000. Meanwhile, financial statement fraud occurred in less than 10% of cases but cost a median loss of $975,000.
The accounting department is responsible for more occupational frauds than any other business unit (16.6%). Individuals from accounting, operations, sales, executive/upper management, customer service, purchasing and finance committed three-fourths of all frauds analyzed in the study (Association of Certified Fraud Examiners).
The median loss per fraudulent case when committed by an owner/executive was $703,000. By contrast, when the fraud is committed by a manager or employee, the median loss was much less, at $173,000 and $65,000 respectively.
The perpetrator attempted to conceal the fraud in 94.5% of the cases studied.
In a 2013 national survey, 3% of employees were aware of financial reports that contained misleading information.
The average time to discover a data breach is 201 days, and the mean time to contain a breach is 70 days. Companies that discover a data breach within the first 100 days spend about $1 million less on average than those that discover it later.
60% of 200 security leaders surveyed indicated that their organizations were victims of at least one social engineering attack in the past year. Employees’ credentials were compromised in 65% of the cases.
A hacker used social engineering to obtain information on 20,000 FBI agents and 9,000 Department of Homeland Security officials.
In 2011, EMC spent $66 million to recover from a cyber-attack that began with an employee opening an attached Excel file labeled ‘2011 Recruitment Plan’.
Phishing via links in emails represents 88% of all reported phishing.
Having an incident response team can lower the cost by $16 per stolen record. Other measures, such as use of encryption ($13 saved per stolen record), employee training ($9), threat sharing ($9), and appointing a chief information security officer ($7) can also lower the cost per stolen record.
An annual preparedness study found that 81% of organizations have a data breach response plan in place.
37% of companies that participated in the study do not have procedures in place for data breaches that occur overseas.
Only 25% of companies in the annual preparedness study update data breach response plans once or twice a year.
25% of companies that participated in the study have not reviewed the incident response plans of their third-party partners.
According to research conducted between January 2015 and July 2016, office-themed email phishing simulations have the highest rates of success, at 20%.
Malicious or criminal attacks were responsible for 48% of all breaches in the 2016 study. The average cost to resolve a malicious attack was $170 per record. Other reasons, such as system glitches or human errors cost $133 per record.
Among organizations currently using or considering GRC technology solutions, nearly two thirds (61%) expect to spend more money on enterprise GRC platforms in the next three years.
In a 2014 national survey, 27% of American workers (37 million) indicated that they have been the victim of abusive conduct at work.
56% of bullies are people in positions of authority.
Less than 20% of American employers take actions to stop workplace bullying.
To escape bullying, 48% of the bullied targets quit their jobs. Additionally, 13% of targets are fired from their jobs.
Keeping policies current with changing regulations is the number one challenge for 47% of organizations. Relatedly, training employees (40%) and managing policy version control (32%) were also noted as significant challenges.
In 2012, 40% of senior risk executives working for large organizations were very or extremely concerned about their existing risk system’s ability to adapt to forthcoming regulatory requirements. 44% of respondents from mid-size organizations and 12% from smaller institutions shared similar strong concerns.
In the past three years, 44% of organizations have faced “legal or external regulatory actions where a policy came under review as part of the action or defense”.
In a 2016 survey of risk management employers, two thirds (68%) feel that their compliance department is “insufficiently resourced for the demands made on it”, representing an increase from 55% in 2015.
In a 2016 survey, 47% of surveyed internal auditors feel that their internal audit department is “sufficiently resourced for the demands that are made on it”.
Almost a quarter of organizations have a third-party risk management budget of less than $50,000.
Around half (51%) of financial service firms globally have a senior manager responsible for conduct risk. There is a degree of regional variation, with respondents in Australasia reporting that only 28% of firms have a senior manager for conduct risk.
Approximately one third (median value 36%) of whistleblowers experience retaliation across 13 countries surveyed.
34% of American workers do not speak up about misconduct due to fear of retaliation from senior leadership. Additionally, 30% were concerned about payback from a supervisor and 24% were worried about their co-workers retaliating.
During a two to three year cycle, organizations will provide training on an average of 12 topical areas. The top three topics most likely to be covered by training programs within the next two to three years are code of conduct (93%), conflict of interest (76%) and cybersecurity (69%).
Only 12% of organizations have an advanced compliance and ethics training program. Nearly 40% of organizations rate their programs as basic or reactive.
More than one half (51%) of respondents have implemented some form of training on conduct risk. More than one-third of firms (37%) have not done so, but feel they need to.
23% of companies do not have a formal compliance training plan in place.
Only 13% of Boards are given training on cybersecurity.
Organizations with reporting hotlines detected fraud through tips 47.3% of the time whereas organizations without hotlines only detected 28.2% of fraudulent cases through tips.
In organizations that have a formal reporting structure, telephone hotlines were the most common method to report a tip (39.5%). However, all forms of online reporting (such as email (34.1%) and web-based or online form (23.5%)) combine to make the Internet a more popular reporting method.
Whistleblowers report fraud to their direct supervisors 20.6% of the time and company executives 18% of the time in the cases studied.
However, it should be noted that the Ethics Resource Center reports 56% of initial complaints are made to direct supervisors.
The time it takes to close a case is increasing year over year. The case closure time in 2011 was a median of 32 days vs. a median of 46 days in 2015.
Over a six year span, the number of tips that are determined to have merit has increased from 30% in 2010 to 41% in 2015.
According to the Ethics Resource Center 91% of whistleblower tips are first reported internally. If not addressed properly, 84% of those go on to report the misconduct externally.
Whistleblower hotlines are only implemented in 60.1% of organizations. In small organizations, hotlines are only implemented in 25.7% of the cases studied.
Advanced understanding of ethics through more intensive training elevates the workplace and replaces reaction with supportive behavior.
Whether an entry level employee or top executive, the Compliance statistics list is a MUST READ. As an employee, share these astounding statistics with your employer so the organization knows the importance of a Compliance Program. As a top executive, realize your organization will be affected by one or more of these things eventually. Study these statistics and get something in place to protect the employees and your organization.
I love this list of statistics. Companies believe that it will never happen to them. With whistleblowing on the rise, and almost 30% of the workforce stating that they have been the victim of harassment, it can, and quite likely will, happen to anyone. Give your employees a voice, and a way to speak up without fear of harassment or retaliation. People first.
This is good stuff. First time I have seen stats on compliance. I can use this as a baseline.